Tag: ATO

  • ATO and ATC

    Difference between DITSCAP and DIACAP ATO:

    Although the acronym “ATO” was used in DITSCAP and is now being used in the DIACAP process, the DIACAP ATO is “Authority to Operate” and replaces the DITSCAP “Approval to Operate”. The essential meaning is the same. An ATO is still a statement that marks a formal Accreditation Decision issued by the DAA.

    E2.2. Accreditation Decision. A formal statement by a designated accrediting authority (DAA) regarding acceptance of the risk associated with operating a DoD information system (IS) and expressed as an authorization to operate (ATO), interim ATO (IATO), interim authorization to test (IATT), or denial of ATO (DATO). The accreditation decision may be issued in hard copy with a traditional signature or issued electronically signed with a DoD public key infrastructure (PKI)-certified digital signature. (DOD 8510.01)

    E2.8. Authorization to Operate (ATO). Authorization granted by a DAA for a DoD IS to process, store, or transmit information. An ATO indicates a DoD IS has adequately implemented all assigned IA controls to the point where residual risk is acceptable to the DAA. ATOs may be issued for up to 3 years. (DOD 8510.01)

    E2.19. Designated Accrediting Authority (DAA). The official with the authority to formally assume responsibility for operating a system at an acceptable level of risk. This term is synonymous with designated approving authority and delegated accrediting authority. (Reference (d) leads with the term designated approving authority, which was favored at the time of publication.) (DOD 8510.01)

    Connection to the NIPRNet/GIG:

    To connect to the Global Information Grid (which includes the NIPRNet/SIPRNet), an Approval To Connect is needed.

    Authority to Connect (ATC). The ATC defines the customer’s connection boundaries as accepted by the DISN SIPRNET Management and reflects the completion of a successful network vulnerability assessment by the DISA SCAO. (CJCSI 6211.02B, 31 July 2003)

    Interim Approval to Connect (IATC). The IATC defines the customer’s connection boundaries as accepted by the DISN SIPRNET Management. (CJCSI 6211.02B, 31 July 2003)

  • DIACAP Activity #3 Make Certification Determination and Accreditation Decision

    Make Certification Determination

    Once all of the validations have been completed, it's time for the IA Component to make a certification determination. They examine the system and may call for additional documentation to verify certain IA features. Waivers, memorandums and other documentation may be required for completion of the certification. The IA Component may need additional scan results. This can sometimes make the process much longer than it should be.

    Issue Accreditation Decision

    Once all the documentation and scans for the certification have been completed, it is out of your hands. The IA Component will push the package forward for final Accreditation approval. The DAA usually takes the recommendations of the IA Component, so it's best to have complied with all of their wishes.

    The DAA will issue an ATO, IATO, ATC or IATC.

     

    E2.2. Accreditation Decision. A formal statement by a designated accrediting authority (DAA) regarding acceptance of the risk associated with operating a DoD information system (IS) and expressed as an authorization to operate (ATO), interim ATO (IATO), interim authorization to test (IATT), or denial of ATO (DATO). The accreditation decision may be issued in hard copy with a traditional signature or issued electronically signed with a DoD public key infrastructure (PKI)-certified digital signature. (DOD 8510.01)

    More on ATOs & ATCs